Given that this setup is for a *home* server, we're forced to allow
peers for typical home IP ranges (such as `192.168.0.0/24`); however, we
should still not allow access to ranges for other containers or anything
else running on `localhost`.
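As an added illustration of the allow/deny split described above (example code written for this page, not part of the repository), the check below trusts the home LAN range and refuses loopback and container ranges even when an allow rule would cover them. The container range `10.88.0.0/16` is an assumption (Podman's default bridge network); the page does not name the ranges it denies. It also unwraps IPv4-mapped IPv6 addresses, which a dual-stack listener reports for IPv4 clients and which a naive string match would silently miss.

```python
import ipaddress
from typing import Iterable, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Home LAN range named in the commit message.
ALLOWED_PEERS = ["192.168.0.0/24"]

# Ranges that must never count as trusted peers, even if an allow rule would
# otherwise cover them. 10.88.0.0/16 is Podman's default bridge network; using
# it here is an assumption for this example, not something the page states.
DENIED_PEERS = ["127.0.0.0/8", "::1/128", "10.88.0.0/16"]


def _networks(nets: Iterable[Union[str, IPNetwork]]) -> list:
    """Accept rule lists given as strings or as already-parsed networks."""
    return [ipaddress.ip_network(n) if isinstance(n, str) else n for n in nets]


def normalise(addr: str) -> IPAddress:
    """Parse a peer address, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d).

    A dual-stack listener reports IPv4 clients in mapped form; matching the
    raw string against IPv4 networks would silently fail to match them.
    """
    ip = ipaddress.ip_address(addr.strip())
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_trusted_peer(addr: str,
                    allowed: Iterable[Union[str, IPNetwork]] = ALLOWED_PEERS,
                    denied: Iterable[Union[str, IPNetwork]] = DENIED_PEERS) -> bool:
    """Deny rules are evaluated first, so a deny always wins over an allow."""
    try:
        ip = normalise(addr)
    except ValueError:
        return False  # unparseable input is never trusted
    # IPv4Network.__contains__ returns False for IPv6 addresses (and vice
    # versa), so mixed-version rule lists are safe to check directly.
    if any(ip in net for net in _networks(denied)):
        return False
    return any(ip in net for net in _networks(allowed))


if __name__ == "__main__":
    # Constructed sample peers, not captured from a real server.
    for peer in ["192.168.0.10", "::ffff:192.168.0.10", "192.168.1.10",
                 "127.0.0.1", "::1", "10.88.0.5"]:
        print(f"{peer:>22}  trusted={is_trusted_peer(peer)}")
```

Whatever component actually enforces the rule (a reverse proxy `allow`/`deny` list, a mail server's trusted-networks setting), the same ordering applies: evaluate the deny list before the allow list, otherwise a broad home range quietly re-admits the container bridge.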
Services will now have an additional set of security-oriented response
headers attached, and cache times re-jigged.
In addition, the `nginx-serve-static@` service has been removed in
favour of `nginx-serve-volume@`, which is simpler to set up and use.
Dovecot will, by default, have login processes run under a limited
`chroot` environment. However, this broke recently with the update to
Podman 4.4.1 and the removal of implicit `CAP_CHROOT` capabilities.
This commit re-adds these in place.
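The capability the commit message refers to is `CAP_SYS_CHROOT` (number 18), which the Podman 4.4 default capability set no longer includes; the usual way to restore it is `--cap-add=SYS_CHROOT` on the container's `podman run` line. How this repository's units pass it is not shown on the page. The following is an added example (not code from the repository) for checking, from inside a container, whether the capability actually reached the process by decoding the `Cap*` lines of `/proc/self/status`. The status samples are constructed to look like Podman's reduced default set with and without `SYS_CHROOT`.

```python
import re
from typing import Dict, List

# Linux capability names indexed by number (include/uapi/linux/capability.h).
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]
CAP_SYS_CHROOT = CAP_NAMES.index("sys_chroot")  # 18

_CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$")


def parse_cap_sets(status_text: str) -> Dict[str, int]:
    """Return the five capability sets from /proc/<pid>/status as bitmasks."""
    sets: Dict[str, int] = {}
    for line in status_text.splitlines():
        m = _CAP_LINE.match(line)
        if m:
            sets[m.group(1)] = int(m.group(2), 16)
    return sets


def has_cap(mask: int, cap: int) -> bool:
    return bool((mask >> cap) & 1)


def decode_caps(mask: int) -> List[str]:
    """Expand a capability bitmask into names, lowest number first."""
    return [name for num, name in enumerate(CAP_NAMES) if has_cap(mask, num)]


def sys_chroot_status(status_text: str) -> str:
    """'effective' if usable now, 'bounding-only' if the container has it but
    the process dropped it, 'missing' if the container never received it."""
    sets = parse_cap_sets(status_text)
    if has_cap(sets.get("CapEff", 0), CAP_SYS_CHROOT):
        return "effective"
    if has_cap(sets.get("CapBnd", 0), CAP_SYS_CHROOT):
        return "bounding-only"
    return "missing"


# Constructed samples (not captured from a real host): Podman's reduced
# default set, which lacks bit 18, and the same set with SYS_CHROOT added.
STATUS_WITHOUT_CHROOT = (
    "Name:\tdovecot\n"
    "Uid:\t0\t0\t0\t0\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000800005fb\n"
    "CapEff:\t00000000800005fb\n"
    "CapBnd:\t00000000800005fb\n"
    "CapAmb:\t0000000000000000\n"
)
STATUS_WITH_CHROOT = STATUS_WITHOUT_CHROOT.replace("800005fb", "800405fb")


if __name__ == "__main__":
    # Run inside the container (e.g. via `podman exec`) to check the live process.
    with open("/proc/self/status") as f:
        live = f.read()
    print("effective caps:", ", ".join(decode_caps(parse_cap_sets(live).get("CapEff", 0))))
    print("sys_chroot:", sys_chroot_status(live))
```

A "missing" result means the fix has to happen at the container boundary (the capability must be granted to the container); "bounding-only" means the container has it but the login process itself dropped it, which points at Dovecot's own privilege handling rather than at Podman.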
Slidge replaces Spectrum with immense improvement to bridging
capabilities, albeit with only experimental MUC support. Nevertheless,
the current state is sufficiently stable for a complete replacement.
This option has Dovecot only return directories in LIST commands, a
necessary workaround because our home and maildir locations are the
same, which sometimes causes extraneous files (such as Sieve scripts) to
appear in IMAP directory listings.
We should eventually move away from this unified location, but doing so
requires careful planning and migration.
This commit moves the `nginx-proxy-http` service back to separate
`UPSTREAM_HOST`, `UPSTREAM_PORT`, and `UPSTREAM_PATH` variables, which
allows for more granular configuration, e.g. `proxy_redirect` patterns.
Gitea and Gitlab allow for filtering push events based on the branch
name, so we assume that webhook payloads don't need to be filtered based
on the branch in these cases. Github doesn't allow for this sort of
filtering, so we have to specify a default branch to filter on.
This commit switches Hugo to a webhook-based building process, with
support for Github, Gitlab, and Gitea hooks (including local versions of
Gitea) initially. In addition, Hugo-based sites are now intended to be
served under a single volume, with ingress configuration pointing to
sub-paths into the volume.
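The two commit messages above describe the receiving side of the webhook flow: authenticate the request, accept only push events, and filter on the branch name only for GitHub, since Gitea and GitLab can filter by branch on the sending side. The block below is an added example of that logic (written for this page; it is not the repository's webhook handler) and assumes the standard provider headers: GitHub sends `X-GitHub-Event` and an HMAC-SHA256 of the body in `X-Hub-Signature-256` (prefixed `sha256=`), Gitea sends `X-Gitea-Event` and a hex HMAC-SHA256 in `X-Gitea-Signature`, and GitLab sends `X-Gitlab-Event` with the shared secret itself in `X-Gitlab-Token`. The provider-detection order and the sample payloads are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple


def sign_sha256(secret: str, body: bytes) -> str:
    """Hex HMAC-SHA256 over the raw request body, as GitHub and Gitea compute it."""
    return hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()


def _eq(a: str, b: str) -> bool:
    # Constant-time comparison; compare bytes so odd header content cannot
    # raise on non-ASCII input.
    return hmac.compare_digest(a.encode(), b.encode())


def verify_github(secret: str, body: bytes, h: Dict[str, str]) -> bool:
    sig = h.get("x-hub-signature-256", "")
    if not sig.startswith("sha256="):
        return False
    return _eq(sig[len("sha256="):], sign_sha256(secret, body))


def verify_gitea(secret: str, body: bytes, h: Dict[str, str]) -> bool:
    return _eq(h.get("x-gitea-signature", ""), sign_sha256(secret, body))


def verify_gitlab(secret: str, h: Dict[str, str]) -> bool:
    # GitLab does not sign the body; it sends the shared secret verbatim.
    return _eq(h.get("x-gitlab-token", ""), secret)


def detect_provider(h: Dict[str, str]) -> Optional[str]:
    # Gitea is checked first because it also emits GitHub-compatible headers
    # (an assumption of this example; adjust if your Gitea version differs).
    for name in ("gitea", "gitlab", "github"):
        if f"x-{name}-event" in h:
            return name
    return None


def should_build(headers: Dict[str, str], body: bytes, secret: str,
                 default_branch: str = "main") -> Tuple[bool, str]:
    """Decide whether a webhook request should trigger a Hugo build."""
    h = {k.lower(): v for k, v in headers.items()}
    provider = detect_provider(h)
    if provider is None:
        return False, "unknown provider"
    # 1. Authenticate before looking at the payload at all.
    if provider == "github":
        ok = verify_github(secret, body, h)
    elif provider == "gitea":
        ok = verify_gitea(secret, body, h)
    else:
        ok = verify_gitlab(secret, h)
    if not ok:
        return False, f"{provider}: signature/token mismatch"
    # 2. Only push events build.
    event = h.get(f"x-{provider}-event", "")
    if event != ("Push Hook" if provider == "gitlab" else "push"):
        return False, f"{provider}: ignoring event {event!r}"
    # 3. Branch filtering: GitHub cannot filter server-side, so do it here.
    try:
        ref = json.loads(body).get("ref", "")
    except (ValueError, AttributeError):
        return False, f"{provider}: malformed payload"
    if provider == "github" and ref != f"refs/heads/{default_branch}":
        return False, f"github: ignoring push to {ref}"
    return True, f"{provider}: build for {ref}"


# Constructed sample requests (not captured traffic).
SECRET = "constructed-webhook-secret"
PUSH_TO_MAIN = b'{"ref":"refs/heads/main","repository":{"full_name":"example/site"}}'
PUSH_TO_FEATURE = b'{"ref":"refs/heads/feature/x","repository":{"full_name":"example/site"}}'

if __name__ == "__main__":
    gh = {"X-GitHub-Event": "push",
          "X-Hub-Signature-256": "sha256=" + sign_sha256(SECRET, PUSH_TO_FEATURE)}
    gt = {"X-Gitea-Event": "push", "X-Gitea-Signature": sign_sha256(SECRET, PUSH_TO_FEATURE)}
    gl = {"X-Gitlab-Event": "Push Hook", "X-Gitlab-Token": SECRET}
    for name, hdrs in (("github", gh), ("gitea", gt), ("gitlab", gl)):
        print(name, should_build(hdrs, PUSH_TO_FEATURE, SECRET))
```

The ordering matters: the signature is checked over the raw bytes before any JSON parsing, so an unauthenticated sender never reaches the parser, and the Gitea/GitLab branch check is deliberately absent, matching the commit's assumption that those hooks were already filtered at the source.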
Documentation for webhook setup and NGINX proxy configuration is still
underway, and will be filled in later.
This commit unifies the `UPSTREAM_HOST` and `UPSTREAM_PORT` environment
variables to a new `UPSTREAM_ENDPOINT` variable, making additional
customizations (such as a `proxy_pass` to a sub-path) possible.
Users in the `prosody_user` and `prosody_admin` groups will be granted
access to Prosody (as regular users and administrators, respectively),
making this a more flexible solution compared to IMAP.
New Gitea installations will now use LDAP authentication, typically
provided by the included `lldap` service, over SMTP authentication, as
this is more flexible.
This sets the stage for moving common authentication from IMAP/Dovecot
to LDAP, which allows for more control over user information, as well as
a basic form of RBAC.
No services are currently set up to support LDAP -- support will follow
soon after this commit.
This commit adds a new service for Gitea, exposing HTTP and SSH ports by
default (SSH over 7920), and accepting authentication via the local SMTP
server. No users are otherwise created by default, and administration is
expected to happen either via CLI, or via a custom admin user.
Container volume backup logic has been moved to a (largely equivalent)
external script, allowing for future expansion of functionality. In
addition, a `rclone-pull@` service has been added and set up as a default
dependency for the `container-volume-restore@` service, allowing for
automatic setup of servers based on the latest remote backups.
This commit updates Postfix to the latest version available for Debian
Bullseye, and switches the Docker entrypoint from an internal to a
publicly documented command, which is guaranteed to work in the future.